Rustock Botnet Flatlined with No Spam Activity

By Fahmida Y. Rashid |
Posted 2011-03-17

Rustock botnet, one of the most active spam-distribution botnets
in 2010, appears to have stopped sending out any of its Canadian pharmaceutical
spam, again.

The Rustock botnet ceased sending out spam midmorning of
March 16, said Mat Nisbet, malware data analyst at Symantec.cloud. According to
graphs posted March 17 on MessageLabs
Intelligence Blog, Rustock regularly alternates between high and low volumes,
so the spike before it stopped activity was not unusual, according to Nisbet. It's
not clear whether the lack of any activity coming from the botnet is the result
of law enforcement or some kind of a hardware issue, according to Nisbet.

It's also too early to tell whether Rustock has been taken
down or voluntarily closed, because Rustock
has gone quiet before. It was quiet over the holiday season when spam
activity stopped on Dec. 15. It resumed operations on Jan. 10, according to
Symantec's Marissa Vicario.

The botnet had some kind of disruption of its command-and-control
servers and its spam silence appears to be temporary, Troy Gill,
security analyst at AppRiver, told eWEEK.

Rustock accounted for as much as 47.5 percent of all spam
worldwide by the end of 2010. At its peak, it may have been responsible for
more than half of all spam, Nisbet said. However, Rustock's output has been
declining over the past few months and other botnets have been increasing their
spam volumes. The Bagle botnet, while it doesn't have the regular spikes and
dips that marked Rustock's performance, has a fairly consistent rate of output
and has lately increased its total volume, Nisbet said.

Before Christmas, Rustock was accountable for as much as 44
billion spam e-mails per day, according to Paul Wood, MessageLabs senior
intelligence analyst for Symantec Hosted Services. Within 24 hours of resuming operations in
January, it was pumping out 19 percent of global spam, Wood said.

Even while it wasn't sending spam, Rustock was still active
in other ways, particularly in click-fraud, where the bots simulate a
"click" on a Web page advertisement, according to Vicario. Click fraud
brings automatic revenue from the advertisers who charge on a "pay-per-click"
model to the botmasters, so it stands to reason that the botnet may be engaged
in other behaviors during this current downtime.

Estimates of Rustock's size vary. Wood said the botnet has
between 1.1 million and 1.7 million computers globally. Spamhaus' Composite
Spam Blocklist estimates at least 815,000 Windows computers are currently
infected with Rustock but said the number is a conservative estimate. On the
other hand, Gunter Ollmann, vice president of research at Damballa, considers those
estimates too high. Rustock didn't even make it into Damballa's most recent
report listing the top 50 largest botnets infecting computers in North America,
Ollmann told eWEEK.

The bad news is that even with this takedown of Rustock, there appears to be no real impact on total spam volumes. MessageLabs
Intelligence tracks spam and said traffic looks normal for this time of the
year.

The computers that are already infected with Rustock remain
infected, as well. These bots are essentially waiting for new instructions and
will continue to wait. The botmaster just needs to register a site name that
the individual bot will recognize. Once found, the bot will know where to go to
get the latest instructions and software updates and be back in operation
almost immediately.

The computers are still vulnerable to the same tactics and
exploits that caused them to join the botnet in the first place, Ollmann said.

It's still good news that one of the most prolific botnets
that clogged inboxes for almost all of 2010 will be offline at least for a
little while.